FIG. 1 depicts a schematic diagram of the salient components of a typical network in the prior art, interconnected as shown. Telecommunications network 100 comprises wireless network portion 110 and wireline network portion 120. Wireless clients 101-1 through 101-4 and access points 102-1 and 102-2 constitute wireless network portion 110. Corporate intranet 104, firewall 105, and wireline clients 106-1 through 106-3 constitute wireline portion 120. Secure access server 103 allows access from wireless network portion 110 to wireline network portion 120.
Wireline clients 106-1 through 106-3 are communication stations that can directly access corporate intranet 104, for example, through an Ethernet cable that is plugged into a wall jack in a corporate building. The physical security of the corporate building provides significant assurance that only authorized personnel may enter the building and connect a client to the network via a wall jack. In some instances, there may be an additional authentication mechanism in place to further ensure that a particular client connected to the network through a wall jack is authorized to access the network. In other instances, there is no additional authentication mechanism. Once a client is plugged into a wall jack and has passed the authentication procedure, the client can then access resources (e.g., mail servers, printer servers, database servers, other clients, etc.) anywhere on corporate intranet 104 or can access resources on the public Internet through firewall 105.
In contrast, wireless clients 101-1 through 101-4 are required to pass an authentication procedure, supervised by secure access server 103, to access corporate intranet 104. Wireless clients 101-1 through 101-4 must authenticate themselves through secure access server 103, whereas wireline clients 106-1 through 106-3 need not, because of the inherent differences between wireless and wireline access. For example, although access point 102-1 can be physically located within a physically secure corporate building, wireless client 101-1 might be located outside that building, in a car parked across the street from the building and operated by a person who is unauthorized to access the network.
Prior to passing the authentication procedure, a wireless client is assigned, at the time it first associates with an access point, a private network layer (e.g., Internet protocol, etc.) address that is usable only within “insecure,” wireless network portion 110. Only when the client passes the authentication procedure is it assigned a routable network layer address to communicate with wireline network portion 120.
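The two-stage address assignment just described can be made concrete with a small model of secure access server 103. The following Python is an added illustration, not code from the patent or from any product it describes: the address pools, the client identifiers, the shared-secret credential table, and the `SecureAccessServer` class with its `associate`, `authenticate` and `permit_to_wireline` methods are all constructed for this example. A client that has only associated holds a private address and cannot reach wireline portion 120; only after it authenticates does it receive a routable address, and the boundary forwards wireline-bound traffic only from routable addresses the server actually assigned.

```python
import hmac
import ipaddress
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed address pools for this example (not taken from the patent).
# The private pool stands in for the "insecure" wireless portion 110; the routable
# pool uses the RFC 5737 documentation range to stand in for wireline portion 120.
PRIVATE_POOL = list(ipaddress.ip_network("10.110.0.0/24").hosts())
ROUTABLE_POOL = list(ipaddress.ip_network("192.0.2.0/24").hosts())

# Constructed credential table: client identifier -> shared secret held by the server.
CREDENTIALS: Dict[str, str] = {"101-1": "s3cret-one", "101-2": "s3cret-two"}


@dataclass
class ClientState:
    """Per-client state: a private address from association, a routable one only after authentication."""
    private_addr: ipaddress.IPv4Address
    routable_addr: Optional[ipaddress.IPv4Address] = None

    @property
    def authenticated(self) -> bool:
        return self.routable_addr is not None


class SecureAccessServer:
    """Hypothetical model of secure access server 103 (constructed for this example)."""

    def __init__(self) -> None:
        self._clients: Dict[str, ClientState] = {}
        self._private_free = list(PRIVATE_POOL)
        self._routable_free = list(ROUTABLE_POOL)

    def associate(self, client_id: str) -> ipaddress.IPv4Address:
        """Stage 1: on first association with an access point, hand out only a private address."""
        if client_id in self._clients:
            return self._clients[client_id].private_addr
        addr = self._private_free.pop(0)
        self._clients[client_id] = ClientState(private_addr=addr)
        return addr

    def authenticate(self, client_id: str, secret: str) -> Optional[ipaddress.IPv4Address]:
        """Stage 2: a client that has associated and presents the right secret receives a routable address.

        Returns None (and leaves the client on its private address) if the client never
        associated, is unknown to the credential table, or presents a wrong secret.
        """
        state = self._clients.get(client_id)
        if state is None:
            return None
        expected = CREDENTIALS.get(client_id)
        if expected is None or not hmac.compare_digest(expected.encode(), secret.encode()):
            return None
        if state.routable_addr is None:
            state.routable_addr = self._routable_free.pop(0)
        return state.routable_addr

    def permit_to_wireline(self, src: str) -> bool:
        """Forwarding decision at the wireless/wireline boundary for wireline-bound traffic.

        Only a source address that this server assigned as a routable address to an
        authenticated client may cross; private-pool sources and routable addresses the
        server never handed out are refused.
        """
        src_ip = ipaddress.ip_address(src)
        return any(s.authenticated and s.routable_addr == src_ip for s in self._clients.values())


if __name__ == "__main__":
    server = SecureAccessServer()
    private = server.associate("101-1")
    print("associated, private address:", private, "wireline allowed:", server.permit_to_wireline(str(private)))
    print("wrong secret:", server.authenticate("101-1", "wrong"))
    routable = server.authenticate("101-1", "s3cret-one")
    print("authenticated, routable address:", routable, "wireline allowed:", server.permit_to_wireline(str(routable)))
```

The check in `permit_to_wireline` is against the server's own assignment table rather than against the address range, so a station that merely configures itself with an address from the routable range gains nothing; that is the property the private/routable split is meant to deliver.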
One authentication procedure in the prior art involves a virtual private network (VPN) server. The VPN server used is of the type that has also been applied to the problem of providing security for (i) access to corporate intranets by dial-up access over the public telephone network or (ii) access to corporate intranets by the establishment of secure VPN tunnels through the networks of public internet access providers employing such physical access facilities as digital subscriber lines and cable modem services.
One advantage of using a VPN server for authentication is that corporations have extensive experience with the use of VPN servers and have found VPN servers convenient to use.